Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Microsoft Office vulnerability (CVE-2017-11882) continuously being utilized to download Infostealer malware

    • Updated:
    • 17 Dec 2020
    • Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Security 12.0
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Standard 10.0
    • Platform:

Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) is a remote code execution vulnerability which can enable an attacker to execute arbitrary code on the compromised machine. The vulnerability resides on a MS Office component called Equation Editor, an out-of-process COM server hosted by eqnedt32.exe, which was compiled on November 2009 and still being used in supported versions of MS Office without further recompilation. This vulnerability was patched by Microsoft on November 14, 2017 however it’s still being actively used in attacks. Malwares that utilize this exploit usually arrives via malspam campaign as a weaponized Microsoft Office document. The targeted platforms are MS Office 2007, 2010, 2013, and 2016 (including Office 360).

In line with the current events, COVID-19 themed or fake shipping documents, quotation or invoice malspam and phishing mails are used to trick the victim to open the malicious attachment. These attachments are documents such as Word, Excel, and Rich Text Format (RTF) files to leverage the vulnerability and download malware payload on the compromised machine. This vulnerability serves as a downloader for infostealer malware such as FAREIT, LOKI or NEGASTEAL.


  • Downloads information stealer malware such as FAREIT, LOKI or NEGASTEAL
  • Uses Equation Editor to download and execute the malware payload


  • Exploits
  • Download Routine


  • Compromise system security - downloads and installs additional malwares

Additional Threat Reference Information

Infection Chain



Arrives as an Invoice document attachmentInitial AccessT1193 Spearphishing Attachment
File is obfuscated with several invalid control words and whitespacesDefense EvasionT1027 Obfuscated Files or Information
Takes advantage of CVE-2017-11882 exploit upon opening of the documentExecutionT1203 Exploitation for Client Execution
Uses eqnedt32.exe to execute arbitrary codeLateral Movement, ExecutionT1175 Component Object Model and Distributed COM
Downloads and execute malware payload to compromised machineCommand and Control, Lateral MovementT1105 Remote File Copy

Available Solutions

Solution ModulesSolution AvailablePattern BranchRelease DateDetection/Policy/Rules
Email ProtectionYesAS Pattern 5432May 20, 2020-
URL ProtectionYesIn the Cloud--
Advanced Threat Scan Engine (ATSE)Yes15.869.00May 15, 2020EXPL_CVE1711882
Predictive Machine LearningYesIn the Cloud-Downloader.VBA.TRX.XXVBAF01FF007
File detection (VSAPI)YesENT OPR 15.882.05May 21, 2020Trojan.W97M.CVE201711882.SMOH
Network PatternNo---
Behavioral Monitoring (AEGIS)YesTMTD OPR 2121May 22, 2020-
Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.